IN THE CLAIMS: 
Amended claims follow: 

1. (Currently Amended) A method for automatically generating a 
valid behavior specification for use in an intrusion detection system for a 
computer system, comprising: 

receiving an exemplary set of system calls that includes positive examples 
of valid system calls, and possibly negative examples of invalid system calls; and 

automatically constructing the valid behavior specification from the 
exemplary set of system calls by selecting a set of rules covering valid system 
calls; 

wherein the set of rules covers all positive examples in the exemplary set 
of system calls without covering negative examples; 

wherein selecting a rule for the valid behavior specification involves using 
an objective function that seeks to maximize the number of positive examples 
covered by the rule while seeking to minimize the number of possible system 
calls covered by the rule; 

wherein the objective function additionally seeks to minimize the number 
of privileged system calls covered by the rule and minimize a length of the rule. 



2. (Cancelled) 

3. (Cancelled) 



Docket: NA11P253/00.12I.01 






4. (Original) The method of claim 1, wherein the method further 
comprises monitoring an executing program by: 

receiving a system call generated by the executing program; 

determining whether the system call is covered by a rule from within the 
valid behavior specification; and 

if the system call is not covered by a rule from within the valid behavior 
specification, indicating that the system call is invalid. 

5. (Original) The method of claim 1, further comprising producing 
the exemplary set of system calls by running an exemplary program and recording 
system calls generated by the exemplary program. 

6. (Original) The method of claim 1, where the exemplary set of 
system calls includes calls to functions implemented by an operating system of 
the computer system. 

7. (Original) The method of claim 1, wherein the set of rules includes 
at least one Horn clause. 

8. (Original) The method of claim 7, wherein selecting a rule for the 
valid behavior specification involves: 

selecting a positive example from the exemplary set of system calls; 

constructing a Horn clause for the positive example by iterating through a 
subsumption lattice, starting from a most general possible clause and proceeding 
to a most specific clause for the positive example, and selecting a Horn clause that 
maximizes the objective function without covering any negative examples; 

adding the Horn clause to the set of rules in the valid behavior 
specification; and 

removing other positive examples covered by the Horn clause from the 
exemplary set of system calls, so subsequently selected Horn clauses do not have 
to cover the other positive examples. 

9. (Currently Amended) A computer-readable storage medium 
storing instructions that when executed by a computer cause the computer to 
perform a method for automatically generating a valid behavior specification for 
use in an intrusion detection system for a computer system, the method 
comprising: 

receiving an exemplary set of system calls that includes positive examples 
of valid system calls, and possibly negative examples of invalid system calls; and 

automatically constructing the valid behavior specification from the 
exemplary set of system calls by selecting a set of rules covering valid system 
calls; 

wherein the set of rules covers all positive examples in the exemplary set 
of system calls without covering negative examples; 

wherein selecting a rule for the valid behavior specification involves using 
an objective function that seeks to maximize the number of positive examples 
covered by the rule while seeking to minimize the number of possible system 
calls covered by the rule; 

wherein the objective function additionally seeks to minimize the number 
of privileged system calls covered by the rule and minimize a length of the rule. 

10. (Cancelled) 
11. (Cancelled) 

12. (Original) The computer-readable storage medium of claim 9, 
wherein the method further comprises monitoring an executing program by: 

receiving a system call generated by the executing program; 

determining whether the system call is covered by a rule from within the 
valid behavior specification; and 

if the system call is not covered by a rule from within the valid behavior 
specification, indicating that the system call is invalid. 

13. (Original) The computer-readable storage medium of claim 9, 
wherein the method further comprises producing the exemplary set of system 
calls by running an exemplary program and recording system calls generated by 
the exemplary program. 

14. (Original) The computer-readable storage medium of claim 9, 
where the exemplary set of system calls includes calls to functions implemented 
by an operating system of the computer system. 

15. (Original) The computer-readable storage medium of claim 9, 
wherein the set of rules includes at least one Horn clause. 

16. (Original) The computer-readable storage medium of claim 15, 
wherein selecting a rule for the valid behavior specification involves: 

selecting a positive example from the exemplary set of system calls; 
constructing a Horn clause for the positive example by iterating through a 
subsumption lattice, starting from a most general possible clause and proceeding 
to a most specific clause for the positive example, and selecting a Horn clause that 
maximizes the objective function without covering any negative examples; 

adding the Horn clause to the set of rules in the valid behavior 
specification; and 

removing other positive examples covered by the Horn clause from the 
exemplary set of system calls, so subsequently selected Horn clauses do not have 
to cover the other positive examples. 

17. (Currently Amended) An apparatus that is configured to 
automatically generate a valid behavior specification for use in an intrusion 
detection system for a computer system, comprising: 

a receiving mechanism that is configured to receive an exemplary set of 
system calls that includes positive examples of valid system calls, and possibly 
negative examples of invalid system calls; and 

a specification construction mechanism that is configured to automatically 
construct the valid behavior specification from the exemplary set of system calls 
by selecting a set of rules covering valid system calls; 

wherein the set of rules covers all positive examples in the exemplary set 
of system calls without covering negative examples; 

wherein the specification construction mechanism is configured to select a 
rule for the valid behavior specification by using an objective function that seeks 
to maximize the number of positive examples covered by the rule while seeking 
to minimize the number of possible system calls covered by the rule; 

wherein the objective function additionally seeks to minimize the number 
of privileged system calls covered by the rule and minimize a length of the rule. 

18. (Cancelled) 
19. (Cancelled) 

20. (Original) The apparatus of claim 17, wherein the apparatus further 
comprises a program monitoring mechanism that is configured to: 

receive a system call generated by an executing program; 

determine whether the system call is covered by a rule from within the 
valid behavior specification; and to 

indicate that the system call is invalid, if the system call is not covered by 
a rule from within the valid behavior specification. 

21. (Original) The apparatus of claim 17, further comprising a trace 
generation mechanism that is configured to produce the exemplary set of system 
calls by running an exemplary program and recording system calls generated by 
the exemplary program. 

22. (Original) The apparatus of claim 17, where the exemplary set of 
system calls includes calls to functions implemented by an operating system of 
the computer system. 

23. (Original) The apparatus of claim 17, wherein the set of rules 
includes at least one Horn clause. 
24. (Original) The apparatus of claim 23, wherein in selecting a rule for 
the valid behavior specification, the specification construction mechanism is 
configured to: 

select a positive example from the exemplary set of system calls; 

construct a Horn clause for the positive example by iterating through a 
subsumption lattice, starting from a most general possible clause and proceeding 
to a most specific clause for the positive example, and selecting a Horn clause 
that maximizes the objective function without covering any negative examples; 

add the Horn clause to the set of rules in the valid behavior specification; and to 

remove other positive examples covered by the Horn clause from the exemplary 
set of system calls, so subsequently selected Horn clauses do not have to cover 
the other positive examples. 

25. (Previously presented) The method of claim 1, wherein the objective function includes: 

$f \cdot e_h - (g_h + p_h + c_h)$, where: 

$g_h$ = the generality of clause $h$; 
$p_h$ = the privilege of clause $h$; 
$c_h$ = the length of the clause $h$; and 
$e_h$ = the explanation power. 

26. (Previously presented) The method of claim 25, wherein the values $g_h$ and $p_h$ are 
normalized to range from 1 to the total number of valid traces. 

27. (Previously presented) The method of claim 26, wherein the value $f$ is set to favor 
short, low-privilege, and low-generality clauses while explaining examples in many traces. 

28. (New) The method of claim 25, wherein the explanation power is a number of valid 
traces that can be at least partially explained by the clause $h$. 